subdomains brute force enum and finding tools

Enumerating subdomain when performing recon (or asset identification) is a task that you will (and should) perform regularly.


Alterations & permutations of already known subdomains

Online DNS tools

spyse []
nmmapper []

SSL certificates

Certificate Transparency website []
— uses certificate fingerprinting – will get all the ssl certs and give you domain names

Search engines

google []
bing []

Public datasets

virustotal [] []

DNS aggregators

dnsdumpster [] is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.

nmmapper []

Git repositories


Text parsing (HTML, JavaScript, documents…)

VHost discovery

VHost discovery, within the context of enumerating subdomains for a host, is a critical reconnaissance technique used in cybersecurity and penetration testing. It involves systematically identifying additional subdomains associated with a particular target domain. This process is essential for security professionals as it helps to uncover potentially overlooked entry points or vulnerabilities in a target’s web infrastructure. By conducting VHost discovery, one can identify and map subdomains that may host web applications, services, or assets connected to the target organization. These subdomains could potentially serve as attack vectors, making them valuable for both offensive and defensive security strategies. Common methods for VHost discovery include brute-force subdomain guessing, utilizing search engines and online tools, and examining DNS records. Effective VHost discovery not only broadens the attack surface but also assists organizations in identifying potential weaknesses in their web infrastructure for remediation.

ASN discovery

ASN (Autonomous System Number) discovery is a valuable technique employed during the process of enumerating subdomains for a host. It involves identifying the Autonomous System to which a target host belongs. Each ASN corresponds to a unique organization or entity, and understanding this association can aid security professionals in finding related subdomains. By querying internet registries or utilizing specialized tools, one can determine the ASN for a given host. This information is crucial for expanding the scope of subdomain enumeration since subdomains are often logically organized within an ASN. Security analysts can then concentrate their efforts on discovering subdomains associated with the identified ASN, which may lead to finding additional assets and attack vectors. ASN discovery is a vital step in thorough reconnaissance and helps both attackers and defenders understand the broader infrastructure context of a target, enhancing overall security assessment and management.

Reverse DNS

Reverse DNS, in the context of enumerating subdomains for a host, is a technique that involves querying the Domain Name System (DNS) to discover subdomains associated with a specific host or IP address. It works by performing a reverse DNS lookup, which translates an IP address back into a domain name. While reverse DNS is primarily used to map IP addresses to hostnames, it can also be employed to reveal subdomains. By systematically querying IP addresses within the range of a target host or network block and examining the resulting domain names, security professionals can uncover subdomains that might not be evident through traditional forward DNS lookups. This method is particularly valuable for reconnaissance and security assessments, as it helps in building a comprehensive list of subdomains associated with the target host, contributing to a more thorough understanding of the target’s online presence and potential attack surfaces.

here’s an example of how to perform a reverse DNS lookup using the dig command to enumerate subdomains for a specific IP address:

dig -x [IP_ADDRESS]

Replace [IP_ADDRESS] with the actual IP address you want to perform a reverse DNS lookup on.

This command will provide you with the reverse DNS records associated with the IP address, revealing the domain names or subdomains associated with it. It’s important to note that the results may not always include subdomains, but it can be a useful part of the reconnaissance process for identifying related domain names and subdomains associated with a specific IP address.

Zone transfer (AXFR)
DNSSEC zone walking
DNS cache snooping
Content-Security-Policy HTTP headers
Sender Policy Framework (SPF) records
Subject Alternate Name (SAN)



apt install sublist3r

Sublist3r (

owasp amass

Amass (
— install it and run it
— this could be an awesome post for jonathansblog

amass enum --passive -d


DNSRecon ( is a Python script that provides the ability to perform:

  • Check all NS Records for Zone Transfers.
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  • Perform common SRV Record Enumeration.
  • Top Level Domain (TLD) Expansion.
  • Check for Wildcard Resolution.
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
  • Perform a PTR Record lookup for a given IP Range or CIDR.
  • Check a DNS Server Cached records for A, AAAA and CNAME
  • Records provided a list of host records in a text file to check.
  • Enumerate Hosts and Subdomains using Google
dnsrecon –d


sn0int is a semi-automatic OSINT framework and package manager. It was built for IT security professionals and bug hunters to gather intelligence about a given target or about yourself. sn0int is enumerating attack surface by semi-automatically processing public information and mapping the results in a unified format for followup investigations.

Among other things, sn0int is currently able to:

  • Harvest subdomains from certificate transparency logs
  • Harvest subdomains from various passive dns logs
  • Sift through subdomain results for publicly accessible websites
  • Harvest emails from pgp keyservers
  • Enrich ip addresses with ASN and geoip info
  • Harvest subdomains from the wayback machine
  • Gather information about phonenumbers
  • Bruteforce interesting urls

Other Tools:

Leave a Reply